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In this paper, we first point out that some recently proposed quantum direct communi- 
cation (QDC) protocols with authentication are vulnerable under some specific attacks, 
and the secrete message will leak out to the authenticator who is introduced to authen- 
ticate users participating in the communication. We then propose a new protocol that is 
capable of achieving secure QDC with authentication as long as the authenticator would 
do the authentication job faithfully. Our quantum protocol introduces a mutual authen- 
tication procedure, uses the quantum Bell states, and applies unitary transformations in 
the authentication process. Then it exploits and utilizes the entanglement swapping and 
local unitary operations in the communication processes. Thus, after the authentication 
process, the client users are left alone to communicate with each other, and the authen- 
ticator has no access to the secrete message. In addition, our protocol does not require a 
direct quantum link between any two users, who want to communicate with each other. 
This may also be an appealing advantage in the implementation of a practical quantum 
communication network. 
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1 Introduction 

Quantum key distribution (QKD) is an approach using quantum mechanics principles for the 
distribution of a secret key with unconditional security [H [3] . Recently, there have been 
theoretical progresses and experimental demonstrations for the QKD protocols (HG30E1H1H]. 
Different from QKD, a quantum direct communication (QDC) protocol is to transmit directly 
a secret message without generating in advance a secret encryption key between the parties 
who want to communicate with each other. After the first proposal by Beige et al. 10J, 
many QDC protocols have been proposed [HJ Q21 Q21 HH [HI [16] . But most QDC protocols 
are susceptible to the man-in-the-middle (MITM) attack in which the eavesdropping attacker 
makes extra connections with the victim users, and relays messages between them while 
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making them believe that they are talking directly to each other over a private connection. 
In fact, the entire message communication is under control by the attacker. In order to 
prevent the MITM attack, several quantum authentication schemes have been put forward 
[T7[ fT8l [19l [20] [21] . Recently, Lee et al. [22] proposed two protocols which combined QDC 
with user authentication. User authentication is to assure the communicating party is the 
one that he/she claims to be and the message is only communicated between the authentic 
users. This mechanism plays an important role in secure message communication against the 
MITM attacks. However, Zhang et al. {23j pointed out that in the two protocols of Lee et 
al, the authenticator Trent who is introduced to authenticate the users participating in the 
communication should be prevented from knowing the secret message. They also showed that 
these two protocols are vulnerable to some specific attacks by Trent. To prevent the attacks, 
they revised the original version of the protocols by using the Pauli Z operation a z instead 
of the original bit-flip operation X [33] . 

In this paper, we first point out that the improved version of the protocols proposed by 
Zhang et al. still cannot prevent the authenticator Trent from knowing the secret message 
if Trent would prepare different initial states. To prevent both the authenticator Trent and 
an eavesdropper Eve from knowing the secrete message, we propose a new quantum protocol 
that is capable of achieving secure QDC as long as the authenticator Trent would do the au- 
thentication job faithfully. In our protocol, we introduce a mutual authentication procedure, 
use the quantum Bell states instead of the GHZ states in [22] [23], and apply the unitary 
transformations in the authentication process. Then we exploit and utilize the quantum en- 
tanglement swapping and local unitary operations in the communication process. In addition, 
our protocol which uses the beautiful feature of quantum entanglement swapping does not 
require a direct quantum link between any two clients/users who want to communicate with 
each other. This may also be an appealing advantage in the implementation of a practical 
quantum communication network. 

Similar to most of the proposed QDC protocols in the literature [Til H21 H3] E] [15], [TB] 
[22] [23], we present the proof-of-principle illustration of our secure QDC protocol against the 
attacks by eavesdroppers, impostor users and authenticator. In a realistic implementation 
of a QDC protocol, there are many other practical issues that need to be considered. For 
example, (i) the noise (depolarization and dephasing) in the quantum communication chan- 
nels, (ii) the imperfection of the Bell-state (EPR) source and distribution, (iii) the errors that 
may occur during the quantum information storage, quantum gate operations and quantum 
measurements, and (iv) the photon loss inevitable in propagating light over distance through 
optical systems (if a photonic implementation of the QDC protocol is adopted) are important 
problems that need to be dealt with. Issues similar to the first three mentioned above for 
our QDC protocol have been discussed by Lo and Chau [5] in the context of the security of 
QKD over arbitrarily long distances. They have shown that by combining the ideas of quan- 
tum repeaters and fault-tolerant quantum computation, the security of QKD in the presence 
of source, device, and channel noises as well as operation and measurement errors could be 
made unconditionally secure. As to make quantum state robust against photon loss, recently 
Wasilewski and Banaszek |24j have proposed a three-photon quantum error correction code 
to protect an encoded qubit against a single-photon loss. They have also discussed the prepa- 
ration of the code as well as quantum state and process tomography in the code space using 
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linear optics with single-photon sources and conditional detection. We may apply the results 
of these studies [24] (and references therein) to argue that our QDC protocol could also be 
made secure in a realistic setting under similar conditions. However, an in-depth investigation 
to demonstrate that each of the practical issues mentioned above for our QDC protocol could 
be really resolved may be still required, but that is beyond the scope of this paper. Never- 
theless, we show here that our QDC protocol is secure against the attacks by eavesdroppers, 
impostor users and authenticator. 

2 Attacks by the authenticator using different initial states 

In order to introduce our mutual authentication process later and to discuss our proposed 
attack by the authenticator Trent on the improved version proposed by Zhang et al. [23| , we 
first summarize the authentication part in the protocol by Lee et al. |22j as follows. 

(1) The client users register their secret identities and one-way hash functions with the 
authenticator Trent and then go apart. The user's authentication key shared with Trent can 
be calculated as h uscr (ID uscr , C uscr ), where ID user is the user's secret identity sequence and 
Cuser is the counter of calls on the user's hash function, h uscr . [22] 

(2) When Alice asks Trent that she would like to communicate with Bob, Trent generates 
N tripartite GHZ states |W) with |^) = ^g(|000) + |111»atb and i = 1,2,- • - 7 N. The 
subscripts of A, T, and B correspond to Alice, Trent and Bob, respectively. Trent then makes 
unitary operations 1(H) on \^f) according to the authentication key bit values 0(1) of Alice 
and Bob, respectively. 

(3) Trent distributes the particles of A sequence to Alice and the particles of B sequence 
to Bob. 

(4) Alice and Bob make reverse unitary operations on the received particles with their 
own authentication keys, respectively. 

(5) After making local measurements in the a z basis on a subset, Alice and Bob can 
compare the results through a classical public channel. 

If the error rate is higher than expected (i.e., existence of an eavesdropper in the commu- 
nication), then Alice and Bob terminate the protocol. Otherwise, they can confirm that their 
counter parts are legitimate and the channel is secure. Alice and Bob can then execute the 
message transmission procedures with Trent. However, as it is pointed out by Zhang et al. 
|23j . the protocols by Lee et al. 22J are vulnerable to the insider Trent with the intercept- 
measure-resend attack, and therefore they proposed two improved schemes with different 
unitary operations H(HZ) instead of 1(H) on Lee et al.'s protocols. 

We now show below the improved version of the two protocols proposed by Zhang et al. 
|23j still cannot prevent the attack from the authenticator Trent if he prepared different initial 
states from the states that he is supposed to prepare. For example, if Trent wants to know 

Alice's secret message, he could prepare the initial state |\fr) as ^=(| + ++) + | ))atb 

instead of -^(|000) + 1111)) 

ATBi where |±) denotes ^(|0) ± |— )) as usual and the subscripts 
of A, T, and B indicate Alice, Trent and Bob's particles (qubits), respectively. Then, after 
Alice's encoding operation H& or H&Z& as in [53], the state will become either t^(|0 + +) + 

|1 ))atb or 7tj(|1 + +) + |0 ))atb- If the authentication is verified, Alice can send 

her qubits either to Bob (protocol 1) or to Trent (protocol 2) [53]. Then if Trent, just like 
the attacks proposed in [23], intercepts ( protocol 1) or receives (protocol 2) Alice's qubit and 
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measures it in the {0, 1} basis, he can then unambiguously figure out the encoding operation 
and thus the bit value of Alice after he has also measured his own qubit in the {+, — } basis. 
In other words, if the measurement outcome is (0, +)at or (1, —)at, then Trent can conclude 
that Alice has performed a Ha operation corresponding to the bit value of 0. Otherwise, if 
the measurement outcome is (1, +)at or (0, — )at, then Alice has performed HaZa operation 
corresponding to the bit value of 1. In this way, Trent can obtain Alice's whole bit string 
including both the random bit string and the secret message. As Alice will publish the 
information regarding which qubits are used as the check qubits in public, Trent can then 
remove the random check bits. As a consequence, Trent will have complete knowledge of 
Alice's secret message. After Trent's attack, he resends Alice's qubit to Bob (protocol 1). 
The different initial states might cause the error rate higher than expected. Alice and Bob 
will, in this case, conclude that there is an eavesdropper in the communication. But they still 
think the secret message has not leaked out. On the contrary, the secret message, in fact, has 
already leaked out to Trent. So Trent can use the prepare-intercept-measure-resend attack on 
the improved scheme of protocol 1 or the prepare-measure attack on the improved scheme of 
protocol 2 proposed by Zhang et al. 23 to completely know the secret message. 

3 Quantum secure direct communication with mutual authentication 

In this section, we present a new QDC protocol that is able to prevent all the specific attacks 
mentioned. It may also seems that all the attacks mentioned above could be avoided if the 
authenticator Trent is reliable. In fact, to the best of our knowledge, nothing in the existing 
proposed protocols prevents an imposter to step in and pretend to be the real authenticator 
Trent between a genuine user and unlawful receiver. Our proposed protocol can, however, 
prevent such attack through mutual authentication. 

In the protocols by Lee et al. 22J and by Zhang et al. 23J as well as in our protocol 
described later, Trent, as an authenticator, is considered to be more powerful than the rest 
of other parties or users. For example, all the user's secret identities are known to the 
authenticator Trent, and all the quantum resources are issued by him. It is thus important 
in the communication protocol that we should first at least make sure whether "Trent" is 
the genuine authenticator or not. If not, some illegitimate party might pretend to be Trent, 
then allow Alice to pass the authentication process, and finally obtain the secret message. 
For instance, the imposter Trent might simply ask a fake Bob to receive the secret message 
from Alice and get the secret message from the fake Bob later. We thus ask, in our protocol, 
the users/clients also to authenticate Trent to prevent an imposter to step in and act as the 
authenticator. Of course, if the real authenticator Trent would like to eavesdrop or steal the 
secret message, his role will then become similar to the imposter Trent and he may also ask 
a fake Bob to receive the secret message from Alice. This problem of a fake Bob could, for 
example, possibly be found (although not always perfectly and immediately) by allowing the 
users/clients to access the classical public channel at any time. If someone pretends to be 
Bob to communicate with Alice, the real Bob may discover this event during the attack. 

Nevertheless, if the real Trent will do his authentication job faithfully, then it is desired 
that a scheme to prevent an imposter Trent from being able to manipulate the authentication 
and communication processes, and to steal the secret message later is available. We show 
below that our protocol with mutual authentication can accomplish that goal and thus achieve 
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secure QDC. The classical part of the generation of the authentication keys of the users in 
our protocol is similar to that in Lee et al. [22] when they registered to the authenticator 
Trent. The secret identity sequence, ID, and one-way hash function, h, of each user are 
known to Trent. For simplicity, we denote the authentication keys of Alice and Bob as 
AKa = 1ia(IDa,Ca), AKb — }ib{IDb,Cb), respectively. C, is the counter of calls on the 
user's hash function, where i = A, B. If the length of AKi, denoted as k, is not large enough 
to cover the necessary operations, new authentication keys can be created by increasing the 
counter Cj as described in Ref . |22 j . In order to secure the authentication process to prevent 
an imposter authenticator to step in, we ask the user/client to authenticate Trent too. It is 
thus a mutual authentication process. In order for the users to be able to authenticate Trent, 
as well as to prevent Trent's different initial state attack, extra quantum resources, which 
include the introduction, manipulations and measurements of extra ancilla qubits, are issued 
by the users in our authentication protocol. Again, the reason why to authenticate each other 
in a mutual manner is to prevent the presence of an imposter authenticator and unlawful 
users to steal the secrete message. 

One of the reasons why we use the Bell state instead of the GHZ state in our protocol is to 
improve the authentication process and to prevent the authenticator Trent from learning too 
much knowledge about the secret communication. We believe Trent's responsibility is only 
to authenticate the users/clients who want to communicate with other users/clients. As we 
will show later, after Trent finishes his authentication job, he will be prevented from knowing 
the secret message if the Bell state pairs and entanglement swapping are employed. Another 
reason why using the Bell state is that the two-particle Bell state can be used in a peer to 
peer environment, while the three-particle GHZ state used in Refs. [H] [53] has to involve 
with the third party's cooperation. That means if Trent wants to authenticate Alice in the 
protocols of Refs. [H1H3], he needs Bob's honest assistance if the GHZ state is used. This 
will not be good as Alice's authentication has to depend on whether Bob is honest or not. In 
our authentication procedure the GHZ state is also used, but this three-particle GHZ state is 
however a joint state between Trent's qubit, Alice's qubit and an ancilla qubit. This ancilla 
qubit is introduced and controlled, for example, by Trent when he wants to authenticate Alice. 

In addition, the process of the user authentication should be closely connected to the 
message communication process in order to protect against the attack of modification, delay, 
replay, and recording [25] which could occur between these two processes. We use the quantum 
entanglement swapping scheme [26] with the Bell states to bridge these two processes. That 
means the secret message will be transmitted only after the successful authentication. 

The details of our protocol will be presented below. In Sec. 13.11 the important concept of 
entanglement swapping is discussed. The mutual authentication process which uses the Bell- 
state entanglement swapping and local operations is described in Sec. 13.21 The communication 
process which also employs the entanglement swapping and local operations are described in 
Sec. 1331 

3.1 The scheme of entanglement swapping 

Entanglement swapping [26j is a method that enables one to swap the entanglement of two 
entangled pairs of quantum particles into that of two new pairs by local operations (see Fig.[T]). 
The newly entangled particles may be spatially separately, without interaction and without 
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Table 1. Transformation table between the Bell state basis and computational state basis. This 
table not only illustrates |</>+)=-^=(|00) + |ll)) or |i/>~) = -i=(|01)-|10)) columnwisely, but also il- 
lustrates \00) = ^=(\(/> + ) + \<t>-)) or |10>=-i=(|V' + )-|V , ">) rowwisely. 



Basis 




\<t>~) 
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1 00) 
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V2 
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|01) 
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1 10) 
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111) 
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V2 
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pre-shared entanglement between them. To illustrate that, we first introduce four Bell states 
(or EPR pairs) as follows: 

|^> = i=(|00>±|ll>), 

|^> = -L(|oi>±|io». (i) 

The computational basis states, from Eq. {1}, can be expressed in terms of the four Bell basis 
states as: 

ioo> = i=(i0+> + ir», 
in) = i=(i^+) - ir )), 

ioi> = i=(hA + } + hn), 

|lO) = i=(^ + )-|V-))- (2) 

Table [1] illustrates the transformation between the Bell state basis and the computational 
state basis. 

Initially, if two parties each owns two particles, one in each of the shared two entangled 
pairs 1-2 and 3-4 in \<j) + ) states as shown in Fig.[lja), then the quantum state of the two Bell 
pairs can be rewritten as [27] . 

\<f> + ) 12 ® \<f>+) 34 

= ^(i0 + )i0 + ) + ir)ir) + i^ + )i^ + ) + i^-)i^))i324. (3) 

If the party who initially owned the particles 1 and 3 makes a measurement in the Bell 
basis locally as illustrated in Fig. [IJb), then the system will swap the entanglement pairs 
from 1-2, 3-4 into 1-3, 2-4 illustrated in Fig.[TJc). Depending on the measurement result, the 
resultant state is in one of the four Bell pairs in Eq. §5§ with equal probability of |. The 
particles 2 and 4 would thus [TH [55] be entangled. Similar results can be obtained if the 
initially shared entangled states are the Bell states other than \4>+). The most significant 
feature of entanglement swapping is to enable one to entangle two quantum systems (2 and 
4) that do not have direct interaction between them by a Bell basis measurement (on 1 and 
3). 
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Fig. 1. Graphical illustration of the entanglement swapping scheme, (a) Two EPR pairs are 
shown in this figure, the dash line represents the entanglement shared between the two particles, 
(b) The action of Bell basis measurement is represented with M. (c) The measurement causes the 
entanglement swapping. 



3.2 mutual authentication process 

After sharing the authentication keys with Trent, respectively, as described in Sec. 02 the 
clients/users, say Alice and Bob, might leave Trent and go apart. Suppose neither Alice nor 
Bob can see each other in a network environment. When Alice wants to communicate with 
Bob, she and Bob must go through the authentication process with Trent first. We now 
introduce the scheme of quantum Controlled- NOT operations as well as local operations into 
our mutual authentication process. This authentication process is illustrated schematically 
in Fig. [5] and is described in detail as follows. 

(1) Once Trent receives Alice's request, he prepares an ordered N + 2v two-particle Bell 
states, each of which is in, for example, the state \4> + ) — ^jGOO) + |H))tAj where N is the 
number of secret message bits that is intended to be transmitted in this round and v is a 
sufficient large number for checking the noise of the quantum channel. In general, v > I a, 
where I a is the length of Alice's authentication key, AKa- Trent keeps one of the particles 
(qubits) in each of the ordered N+2v two-particle Bell pairs to form an ordered particle (qubit) 
sequence, called the T sequence. He then encodes each particle of the other correspondingly 
ordered sequence, called the A sequence, by an operation H or I according to the bit value 
of AKa being 1 or 0, respectively. That is , if the key bit value is 0, a H operation is 
performed on the particle; otherwise, nothing is done. Since the number N + 2v is normally 
larger than the length I a of AKa, the key bits of AKa will be reused from the beginning 
for encoding. The process will be repeated until all N + 2v particles in the A sequence are 
encoded with corresponding H/I operations. Trent then sends the encoded particles of the 
ordered A sequence to Alice. 
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Fig. 2. Pictorial illustration of the authentication scheme, (a) Trent prepares an ordered N + 2v 
two-particle Bell states \<f> + ) = "^jdOO) + |H))ta> and encodes each of the particles of the A 
sequence by operation H (I) according to the bit value of (1) of AKa, here only one pair in 
verifying set V and Alice's ancilla particle are shown, (b) Trent sends the particle A to Alice, 
Alice then decodes the particle by operation H (I) also according to the bit value of (1) of 
AKa- (c) Alice uses the decoded particle to make the CNOT operation on the ancilla. (d) The 
ancilla particle will be entangled with the original two particles, (e) Alice and Trent perform the 
operation / (H) on their own particles according to the bit value of (1) of AKa separately, (f) 
The Steps of recovering is also depended on the bit value of AKa- If the bit value of AKa i g 0, 
Alice makes the operation CNOT on the ancilla a again. The ancilla will leave the entanglement 
after the operation CNOT. (g) If the bit value of AKa m lj Alice measures the ancilla a. Alice 
then makes the operation I (X) on the particle A according to the measurement result of ancilla 
being (1). 
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(2) After receiving the A sequence, Alice decodes each of the particles by an operations 
H or I also according to the bit value or 1 of AKa as Trent did. The state of each of the 
ordered N + 2v two-particle Bell pairs will return to its initial state, (| 00) + |11))ta- She 
then chooses randomly a sufficient large subset of size v from the A sequence, and pairs each 
of the chosen particle with its corresponding counterpart in the T sequence into a verifying 
set V . One pair of particles in set V is shown in Fig. [2] (a) and (b). She also prepares v ancilla 
particles, called the a sequence, each of which is in the state |0). She uses the particles which 
she owns in set V to be the control qubits and makes the quantum Controlled- NOT operations 
(CNOT) on the target qubits of the ancilla a in sequence. Then, as shown in Fig.[2](c) and (d), 
each of the ancilla particles (qubits) will be entangled with the original two particles (qubits) 
in the Bell state. These three particles will then be in the state -^(|000) + |lll))r^ a , where 
the subscripts of T, A and a denote the Trent, Alice and ancilla particles, respectively. Note 
that this state is just the quantum GHZ state used in the protocols of Lee et al. [22] and by 
Zhang et al. [23]. The difference is that here the third particle, the ancilla qubit, is introduced 
and controlled by Alice when she is about to authenticate Trent. 

(3) Alice goes to identify Trent in case that some illegitimate party might pretend to 
be the authenticator Trent or Trent might prepare different initial states to steal message. 
She makes operation I (H) on each of her two own particles according to the bit value 
(1) of AKa- For example, if the ith bit value of AKa is 0, Alice performs the identity 
operation I on each of her two particles in the ith position in set V. Then, the three particles 
would remain in -1=(|000) + |lll))TAa- On the contrary, if the ith bit of AKa is 1, she 
performs the operation H on each of her two particles and the three particles would become 

2^(|0(0 + 1)(0 + 1)) + |1(0 - 1)(0 - l))) T Aa- 

(4) Alice tells Trent the positions of the set V particles in the original N + 2v sequence and 
tells him that she has finished the transformation operations over a classical public channel. 
Trent then also makes operation / (H ) on his own particle according to the bit value of his 
own key AKa m set V in sequence. For example, if the ith bit of AKa is 0, the three particles 
would still stay in ^=(|000) + \ lll))TAa- Otherwise, if the ith bit of AKa is 1, as illustrated 
in Fig.[2Je), the three particles would become 

{H®H® #) Tj4q -L(|000) + \lll)) T Aa 

=> |(|(00 + 11)0) + |(10 + 01)l))TAa- (4) 

(5) After Trent tells Alice that he has finished his operations over a public channel, Alice 
will perform different operations for each pair in set V according to the ith bit value of AKa- 
If the ith bit value of AKa is 0, she will make the operation CNOT on the ith ancilla a again 
with particle A as the control qubit. Then the ancilla qubit will lost the entanglement with 
the pair of qubits T and A as shown in Fig. [2Jf). On the contrary, if the ith bit value of AKa 
is 1, Alice will measure the ith ancilla particle a in the computational {0,1} basis, i.e., the uz 
basis. If there is no eavesdropping or interference, Alice will obtain either or 1 with equal 
probability 1/2. If she obtains 1, she makes the operation X on the particle A. Otherwise, 
nothing is done. These actions are shown in Fig.[2Jg). After this, the pair of the two particles 
T and A in set V should return back into the original Bell state after consuming the ancilla, 
provided that there is no eavesdropper, Eve, present. 
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Table 2. Relations between the initially prepared Bell states, the measurement result of ancilla, 
and the recovering operations on the home qubit when the bit value of AX of the other party is 1 . 



Initial prepared 
Bell States 


Recovering operations on the self qubit 


ancilla's outcome: 


ancilla's outcome: 1 


I0 + >=75(|OO)+|11» 


/ 


X 


l<n=75(|00)-|ll» 


X 


I 


I^ + >=^(|01>+|10» 


iY 


Z 


hr)=^(loi>-[io» 


Z 


iY 



(6) Now, Alice is going to authenticate Trent as well as to check the presence of Eve. After 
Alice measures her own particles (qubits) in set V one by one in the az basis, she informs 
Trent that her measurements are finished (but does not reveal her measurement results) in 
public. Trent then also measures his own particles in the az basis and tells Alice the results 
in public. At last, Alice compares her results with those of Trent's to authenticate Trent. If 
they have a sufficient large number of results that are the same, Alice [21 [29] accepts that 
Trent is the real Trent (the authenticator) and she proceeds the steps to be authenticated by 
Trent. Otherwise, if the error rate is too high, she just stops the procedure. 

(7) Next, Trent will authenticate Alice. This reverse authentication procedure could be 
much simpler as compared with the above steps. This is because Trent owns the particle he 
prepared in the very beginning and does not need to check possible different initial state attack 
by Alice, so no extra ancilla qubits need to be introduced. If Alice can decode the A sequence 
in Step 2, the remaining N + v pairs will all return to the initial state, ^~(|00) + \11))ta- Trent 
then randomly selects v particles in the remaining T sequence and pairs with Alice's particles 
in A sequence to form the reverse verifying set V . He then measures his own particles (qubits) 
in set V one by one in the az basis, and informs Alice that her measurements are finished in 
public. Alice then also measures his own particles in the az basis and tells Trent the results 
in public. Trent then compares his results with those of Alice's to authenticate Alice and 
also check the existence of Eve. If their measurement results agree with a sufficiently high 
probability, Trent [HI |2"9"] accepts that Alice is a legitimate user/client. Otherwise, if the 
error rate is too high, he just stops the procedure. This is exactly the reverse process in Step 
6 with the interchange of the roles of Alice and Trent. 

(8) After the mutual authentication is finished, there still are N pairs of the Bell state 
^(|00) + |11))ta between Trent and Alice's qubits. Note that the local operations after the 
measurements of the ancilla qubits in Steps 5 depend on the initially prepared Bell state. 
In the above example, the initial and recovered Bell state is -^=(|00) + Other Bell 
states can also be used in our protocol with a slight modification of the local operations. 
Their relations are illustrated in Table O Since both Alice and Trent choose the verifying 
sets at random, they could also check the security of the channel during the authentication 
steps. Not only the illegitimate party but also the existence of the eavesdropper Eve could be 
detected during the verification process. Furthermore, the message communication process 
will proceed only if the authentication process is successful. If the channel is too noisy with 
a high error rate, they would stop the procedure and start over again. 

(9) Finally, Trent notifies Bob that Alice wants to communicate with him. Likewise, Bob 
and Trent can authenticate each other. If nothing goes wrong, they will also keep N pairs of 
the Bell state -4(|00) + |11)) TS . 
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3.3 Communication process 

After finishing the authentication process, Trent's qubit is entangled with Alice's qubit in 
the Bell state -75 (| 00) + |11)) and likewise also with Bob. We describe below a session-key 
based communication process |25] which uses the skills of entanglement swapping. Here, 
the session key indicates that the sequence of the entangled states between Alice and Bob's 
qubits, generated as a result of the Trent's entanglement swapping measurements, is used for 
only one particular communication session. The detailed communication process is described 
as follows. 

(1) Trent makes a Bell measurement on his own two qubits, one particle entangled with 
Alice's qubit and the other entangled with Bob's qubit, in each of the N Bell pairs in sequence. 
Each time Trent will obtain a result with equal, probability 1 /4 out of four possible outcomes 
corresponding to the resultant four possible Bell states in which Alice's qubit and Bob's 
qubit will be entangled. In other words, as a consequence of Trent's Bell measurement, the 
entanglement has been swapped into the joint state of Alice and Bob's qubits. However, Alice 
and Bob do not know exactly which entangled Bell state their qubits really share so far. Note 
that there is no qubit (particle) transmitted between Alice and Bob, so the eavesdropper Eve 
cannot obtain any quantum information during this process. 

(2) Trent announces the results of his Bell measurements in sequence over a classical public 
channel. Another appealing feature as a result of the entanglement swapping is that Trent will 
leave the clients, Alice and Bob, alone to communicate with each other. In other words, after 
the authenticator Trent finishes his job, he will not be involved in the message communication 
process and thus he is prevented from learning the secret message. 

(3) After Trent's public announcement, Alice and Bob then have the knowledge about the 
identity of each of the shared Bell state between their qubits in the sequence. They can use 
the sequence of the shared entangled Bell pairs to send the secret message using the following 
two different schemes. 

(i) They may use the scheme of dense coding, first proposed by Bennett and Wiesner 28J , 
to transmit two classical bits of information using one entangled Bell pair. As Alice and Bob 
know which Bell state they share, say in |</> + ) = -1=(|00) + |11)), Alice can then determine 
and encode the two classical bits that she wants to send to Bob (00,01,10 and 11) into the 
unitary operation (U=I,X,Z or iY) performed on her particle (qubit) of the Bell pair. Alice 
then sends her particle to Bob. After Bob receives Alice's particle, Bob can measure the two 
particles in the Bell basis and obtain Alice's encoded information. At the end of the direct 
communication process, Alice can send 2N bits of classical information to Bob with these 
remaining N entangled Bell pairs. However, since Alice's particles are transmitted to Bob, 
Eve might intercept them in the middle. To guarantee secure communication, some randomly 
chosen entangled Bell pairs have to be used to check if Eve is eavesdropping [12l [16] . 

(ii) As mentioned, the above dense coding scheme requires that there is a quantum channel 
between Alice and Bob so that Alice can send her qubit to Bob. This, however, may not be 
practical in a realistic quantum communication network, as a direct quantum link is required 
to be established between every two users/clients who want to communicate with each other. 
To overcome this problem, we use a scheme [HJ [55], which also utilizes the entanglement 
swapping together with local quantum operations, to encode and transmit the message. This 
scheme, proposed in the encoding-decoding step in Refs. |14[ [29] . does not need the qubits to 
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be transmitted between Alice and Bob, and thus no quantum channel is required between 
them. It, however, uses two entangled Bell pairs between Alice and Bob to transmitted two 
bits of information. For example, in this scheme in Refs.fTU [29], Alice and Bob agree to 
apply one of the 4 different unitary operations (say U=I,Z,X or iY) on one particle of the 
two entangled Bell pairs to encode one of the 4 different 2-bit messages (say 00,01,10 or 11). 
Suppose that the state of the two entangled pairs, 1-2 and 3-4, is the state of Eq. ([3]). After 
Alice applies one of the local unitary operations, say Z, on one of her two own particles, say 
particle 1 in Eq. ((3]), according to her bit string values of 01, the state becomes 

Z 1 (|0+) 12 ®|0+) 34 ) 

= ^ir)i0 + ) + i0 + )ir) + ir)i^ + ) + i^ + )ir))i324. (5) 

Alice can perform a Bell state basis measurement on her two particles, say particle 1 and 3, of 
the two entangled Bell pairs. This then results in the entanglement swapping to the pairs of 
1-3 and 2-4. She then announces the measurement result, say in state, to Bob through 
a classical public channel. Then after Alice's Bell measurement, Bob should obtain \ip + ) by 
his Bell basis measurement. Bob can read out Alice's bit string value 01 after comparing 
the results of his own Bell basis measurement with Alice's. This scheme takes advantage of 
entanglement swapping. As a result, it does not require a quantum channel between Alice 
and Bob and it also avoids the possible eavesdropper gaining any meaningful information 
of the secret message during the communication process. Note that the resultant shared 
entangled Bell states between Alice and Bob's qubits in our protocol are dependent on the 
Trent's Bell measurement results. Thus the entangled Bell states might not be all the same 
as those used in our example or in Refs.[T4, 29 1. This, however, is not a problem as using 
two entangled pairs with different Bell states can also do the job if they know what the states 
they share [27]. Repeat the procedure in sequence, N entangled Bell pairs can transmit only 
N bits of information. But this may not be a disadvantage since to check and guarantee no 
eavesdropping in the dense coding scheme, the consumption of entangled pairs may be large 
[14] and might even be larger than N/2. 

4 Discussions and security analysis 

Before we conclude, a remark between our protocol and a QKD-like scheme as well as a 
security analysis of our protocol are in place. 

4-1 Comparison with a simple QKD scheme 

If the whole point of our protocol up to step (3) of Sec. 13. 3( i.e., entanglement swapping 
after successful mutual authentication, is to certify only that Alice and Bob, the two users 
who want to communicate with each other, share perfect EPR pairs, then one may think 
that a simpler way, as is used in QKD, may be employed to do the same job. For example, 
if Alice would like to communicate with Bob in an EPR-pair-based QKD scheme for QDC, 
she may need (or ask someone else) to generate EPR pairs, then transmits halves of the 
EPR pair qubits to Bob and keeps the other halves to herself. Alice and Bob measure and 
then compare over a classical authenticated channel the randomly selected X- or Z-basis 
measurement results on some randomly chosen EPR pairs they share originally. If their 
measurement results and their authentication keys (secrets) agree, then they are certain that 
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the remaining pairs they share are perfect EPR pairs and that the other party is the real 
Alice or the real Bob. Otherwise, they may conclude that the quantum channel Alice used to 
transmit qubits to Bob was too noisy, or that an eavesdropper Eve has interfered in the qubit 
transmission process. Indeed, this QKD-like scheme combining with secure, authenticated 
classical channels can certify that Alice and Bob share perfect EPR pairs. So the absolute 
security of the classical authenticated channels must be guaranteed for this QKD-like scheme 
for QDC to work. Suppose there is a shared secret key beforehand between the two users, Alice 
and Bob. They may apply the classical Wegman-Carter scheme [30] for authentication and 
for the comparison of the measurement results. For example, they can use the shared secret 
key to create Wegman-Carter tags and then compare the hash values computed from the tags 
and the message that contains the measurement results. The Wegman-Carter authentication 
scheme [3U] is unconditionally secure provided that the shared secret key bits used to create 
the tags arc different each time. But if Alice and Bob would like to authenticate each other 
again for another communication, then the shared secret key bits used to create the tags will 
be gradually used up in the Wegman-Carter scheme [31]. It was pointed out in Ref. [3T] 
that the secret key bits cannot be reused without compromising the provable security of the 
Wegman-Carter authentication scheme [30]. So if no further process to replace or refresh the 
secret key bits, then the provable security of the Wegman-Carter authentication scheme [30] 
may concede. One may use quantum channels to transmit new secret key bits as is done in 
QKD. But if a secret encryption key needs to be generated each time in advance between 
the parties who want to communicate and authenticate with each other, then this QKD-like 
scheme is similar to formal QKD rather than QDC that is intended here. 

In addition, in the QKD-like scheme each user needs to generate EPR pairs for every other 
users or a third party, say Trent, should be asked to prepare and distribute the EPR pairs 
for every users. But if Trent does not play also the role as an authenticator, then any two 
users have to authenticate and compare the measurement results directly between themselves 
through authenticated classical channels. As a result, each user needs to share a different 
secret key with every other user, and an authenticated classical channel is required between 
any two users who want to communicate with each other. Furthermore, if there is a new 
client, say Charlie, wants to join this communication network, his shared secret key needs to 
be generated and distributed securely between him and the rest of every client user. These 
may not be practical in the implementation of a realistic quantum communication network 
as there may be many users in the network and they may be spatially far apart. These are 
the reasons why in the protocols of Refs. [22l [23] as well as in our protocol, an authenticator 
Trent is introduced in the QDC network. Thus one should consider applying the QKD-like 
scheme to the similar protocols with an authenticator Trent. 

Compared with the QKD-like scheme, there is, however, no classical authenticated channel 
used in our protocol. The classical channels used in our protocol are public channels. They 
are not used to authenticate but are used to broadcast (exchange) the classical information 
and measurement results between the participants in public, as are used in Refs. [2"2l 123]. 
The generation and registration of the classical authentication keys of the users by the au- 
thenticator, as similar to that in Refs. [33] [53], does not mean the classical authenticated 
channels are used. Since the users will go apart after getting their authentication keys respec- 
tively and since no further encryption scheme is used in the classical public channels in our 
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protocol, the users and authenticator cannot securely authenticate each other through the 
classical public channels remotely. The classical authentication keys of the participants are, 
however, encoded with local quantum operations H/I onto the EPR pairs of the verifying 
sets as illustrated in Sec. 13.21 Our authentication scheme is based on quantum entanglement, 
quantum operations and the randomness of quantum measurement results. So the presence 
of Eve will be discovered, and no useful information about the secret authentication key may 
be inferred in our protocol at least for the several possible Eve's attacks presented in Sec. 14.21 
Furthermore, our protocol can also avoid Trent's different initial states attack that the proto- 
cols in Refs. [221 [53] fail to prevent (see Seed]), as extra quantum resources, which include the 
introduction, manipulations and measurements of extra ancilla qubits, are issued by the users 
in our authentication protocol when the users authenticate the authenticator Trent. Next, we 
perform a security analysis of our protocol and show that this is the case. 

4-2 Security analysis 

Since after successful mutual authentication process, our protocol utilizes entanglement swap- 
ping and local quantum operations in the communication process. As a result, it does not 
require a direct quantum link between any two users who want to communicate with each 
other and thus it also avoids the possible eavesdropper gaining any meaningful information 
of the secret message during the communication process. We therefore focus the security 
analysis only on the authentication process. For simplicity, we assume Trent prepares the 
initial EPR pairs in the state \4 >Jr ) r pA — 

-4(|00) + \\1))ta as before. 

First, if there is no eavesdropping and no other interference, the resultant state, after the 
H/I, H/I, CNOT, I/H and I/X operations according to the corresponding bit value of the 
authentication key and the local measurement result of ancilla qubit, should return back into 
its initial state \4> + )ta as illustrated in Sec. 13.21 Alice and Trent can then authenticate each 
other and detect the existence of Eve by comparing the Z-basis measurement results of their 
respective qubits in this EPR state. If these measurement results agree, then they are sure 
that the opposite party really owns the pre-issued authentication key and holds halves of the 
EPR pairs. An important observation of our authentication scheme is that no matter what 
the bit value of the authentication key is, the pair of the two particles T and A in the verifying 
sets V return back into the original Bell state, -t=(|00) + |11))ta, after consuming the ancilla 
as described in Step (5) of Sec. 13.21 So the Z-basis measurement result of either or 1 of 
particle T obtained with equal probability and then announced in public by Trent reveals no 
useful information of the secret bit value of the authentication key, AKa ■ Similarly, the state 
of each pair in the verifying set V' is also back to ;4(|00) + |11))tm and thus no information 
on the secret bit values of Alice's key can be inferred from the public announcement of Alice's 
qubit measurement results when Trent authenticates Alice. 

Second, Eve may use intercept attack, that is, Eve intercepts the EPR particles sending 
to Alice, pretends herself to be the legitimate user Alice and tries to cheat Trent into an 
acceptance of her as Alice during the authentication process. Eve who did not know Alice's 
key though can, while authenticating Trent, just (pretend to be Alice to) accept Trent's 
measurement results announced in public to pass the process. However, in the reverse process 
in which Trent authenticates Eve (the fake Alice), Eve who does not know Alice's key cannot 
decode back the encoded qubit and thus cannot escape from the check by Trent as there will 
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be a high error rate occurred when Trent compares Eve's qubit measurement results with 
his in the verifying set V of the checking step. In addition, we show below that Eve also 
cannot obtain any useful information about Alice's secrete key AKa- When the authentication 
process starts, Trent follows the protocol to perform an operation H/I on each of the particles 
in the sequence A according to the bit value of 0/1 of AKa- Suppose that Eve does nothing 
(she may do any operation but that will not affect the main conclusion of the following 
analysis) as she has no idea about the bit value of AKa- The resultant state after Trent's 
next operation I/H operation is ^(|0+) + \1—))te if the bit value of AK A is 0, and is 
■j- (| + 0) + | - 1))te = 75 (|0+) +\1-))te if the bit value of AKa is 1, where |±) = ^(|0)± 
|1)) are the eigenstates of the X operator with eigenvalues ±. Note that Trent's later I/H 
operation on his particle in the sequence T according to the bit value 0/1 of AKa is opposite 
to his first encoding operation. The encoding operation of I/H on the particle in the sequence 
A is, however, according to the bit value of 1/0. These operations make Trent's resultant Z- 
basis qubit measurement results with equal probability of being either or 1 independent of 
the bit value of 0/1 of AKa- So if Trent then follows the protocol to announce the Z-basis 
measurement result of his qubit (particle) in the verifying set V one by one, then no matter 
what the bit value of AKa is, his measurement result will half-chance be and half-chance 
be 1. Another case is the intercept- and- C NOT attack. That is, if in the beginning, Eve 
also introduces an ancilla qubit E a being in |0) state and performs a CNOT operation on 
the intercepted qubit E and the ancilla qubit, then the resultant state after Trent's I/H 
operation are both in -i=[|0)(|00) + |11)) + 1 1) ( 1 00 — 11))]tbb oI no matter what the bit value 
of AKa is. Similar to the above scenario, regardless of Eve's subsequent operations, Trent 
will announce his Z-basis qubit measurement results with equal probability of being either 
or 1, no matter what the bit value of AKa is. So no information of the secret key is 
revealed by Eve's intercept attack in both of the above cases. In the reverse authentication 
process, since Eve does not know Alice's key, she cannot decode back the original EPR state. 
Suppose again Eve does nothing (she may do any operation but that will not affect the main 
conclusion of the following analysis). The resultant pair state in the verifying set V will be 
^(|0+) + \1-))te if the bit value of AK A is 0, and is ^(|00> + |11)) TB if the bit value 
of AKa is 1. So the fake Alice's (Eve's) qubit measurement result with equal probability of 
being either or 1 cannot infer useful information about the real Alice's authentication key. 
It is obvious to see that Eve may do any operation instead of doing nothing on her qubits, but 
her measurement results will have no relation at all with the Alice's key. So Eve's intercept 
attack can catch nothing except being discovered. 

Third, Eve could use intercept- and-resend attack, i.e., Eve first intercepts Trent's EPR 
particle A sent toward Alice, and then transmits the particle Ea of the EPR pair that she 
prepared to Alice instead. Eve keeps particles A and E in her hands, which are entangled, 
respectively, with the Trent's and Alice's particles. Eve may also try to first prepares an 
additional ancilla qubit in the |0) state and entangles it with Trent's EPR state or with her 
prepared EPR pair by CNOT operation. Without knowing Alice's authentication key, Eve's 
attack cannot pass Trent's authentication as stated above. In addition, Eve will again obtain 
no information of the secrete key bit when she try to authenticates Trent or authenticate Alice 
with the similar reasons stated also above. As a result, Eve's intercept- and-resend attack will 
also fail, and Eve will not get any useful information of the secret keys, either. 
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From the above analysis, Eve's several possible attacks will be discovered during our 
authentication process and furthermore, Eve cannot infer useful information about Alice's 
authentication key. As a consequence, the authenticator and client users can all make sure 
each time whether the parties who share the entanglement pairs with themselves own the 
authentication keys or not and make sure that the secret key bits will not be revealed or be 
inferred from the quantum or classical channels in our mutual authentication QDC protocol. 

Besides having the ability to discover the possible different attacks from Eve, our authen- 
tication scheme can also avoid the attack by Trent if he prepares different initial states and 
tries to steal the client users' messages. In the protocols by Lee et al. [22] and by Zhang et al. 
[23] as well as in our protocol, Trent, as an authenticator, is considered to be more powerful 
than the rest of other parties or users since all the users' secret identities are known to him, 
and all the quantum resources are issued by him. Thus in our protocol, we use a mutual 
authentication scheme in which a user possesses extra ancilla qubits, can perform CNOT 
gates between his/her qubits and the ancilla qubit, and perform local operations (I/H and 
1 1 X) and quantum measurements on the ancilla qubits when the user authenticates Trent. 
This authentication process may appear slightly more complicated than that of the QKD-likc 
scheme and than that of the protocols by Lee et al. [22] and by Zhang et al. [23] . But the way 
that the user can issue more quantum resources (extra ancilla qubits and manipulations and 
measurements on the ancilla qubits) when authenticating Trent is the key point in our pro- 
tocol to prevent the attacks by the authenticator Trent if he prepares different initial states, 
while the above mentioned protocols fail to prevent (see, e.g., discussions in Sec. [2] and in 
Refs. [22j [23]). If now suppose Trent prepares initial GHZ states (|00) + |11))tba instead 
of EPR states that he is supposed to prepare. This unfaithful action of Trent is similar to 
the Eve's intercept- and- CNOT attack mentioned above, but the difference is that now Trent 
knows the authentication keys. The QKD-like with an authenticator scheme will be vulner- 
able to this initial GHZ state attack by Trent (though the detailed steps of how this may 
happen are not shown here) . We show below that this illegal action of Trent will be discov- 
ered in the verifying set V of the checking Step 6 of our authentication process illustrated in 
Sec. 13.21 The checking procedure starts from Alice's CNOT operation on her particle A and 
the prepared ancilla particle a. This operation will entangle the three particles in the GHZ 
state with the ancilla particle, and will result in a state expressed as -^(|0000) + |llll))T,EAa- 
The next step will depend on the bit value of the shared secret key AKa- When the ith bit 
value of AKa is 1, Alice will make H operations separately on her two qubits (particles), i.e., 
A and a, in the ith position in the verifying set V . For the purpose of discovering Trent's 
illegal action, there is no difference here whether Trent will follow the protocol to make his 
subsequent quantum operations or not. For simplicity, we suppose that Trent follows the 
protocol and does the same H operations on his qubits when the ith bit value of AK? is 
1. Suppose now that the the ith bit value of AKt is 1. The state of the four qubits will 
become ^={[(|00> + 111»|0> + (|01> + ]10»|1>]|0> - [(|00> + 111»|1) + (|01) + |10))|0)]|l)} T ^ a . 
Alice then measures the state of the ancilla particle in the Z-basis, and if the measurement 
result is 0, she will do nothing before her next .Z-basis measurement on particle A. Otherwise, 
she will make an X operation on her particle A before the iJ-basis measurement. Therefore, 
after Alice measures her ancilla particle and performs the subsequent / or X operation, the 
remaining three-particle state will become either ^=[(|00) + |11))|0) + (|01) + |10))|1)]t,ea 
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or -i=[(|00) + |11))|1) + (|01) + |10))|0)]t£M , corresponding to ancilla's measurement result 
that is either or 1, respectively. It is not hard to see, for each bit value of AKa to be 1, 
Trent's measurement result will, half the time, not match Alice's measurement result. The 
main reason is that the ancilla particle (qubit) is prepared by the verifier, Alice. Trent can 
neither operate on the ancilla qubit nor know its measurement result, so he cannot dominate 
in the authentication process. Since Alice will discover the illegal action of Trent (similar to 
the existence of Eve despite he knows the authentication key) if Trent indeed prepares differ- 
ent initial states in the authentication process, she will stop the subsequent communication 
process and thus her secret message will not leak out. 

In summary, it may appear that both our scheme and the QKD-like scheme require some 
shared authentication keys (secrets) to begin with to perform mutual authentication, though 
they are used in different ways. But one of significant differences is that the secret key bits 
in the QKD-like scheme that uses the Wegman-Carter authentication scheme j3U] need to be 
different each time and thus eventually need to be refreshed (replaced) in order to guarantee 
the absolute security of the authenticated classical channels [31] . If one uses quantum chan- 
nels to refresh the shared secret keys, this will make the QKD-like scheme be exactly similar 
to formal QKD rather than QDC that is intended here. Our QDC protocol may, however, use 
the same shared key bits each time without compromising the system's security, at least in 
the possible attacks by Eve analyzed above. In addition, we have pointed out that the QKD- 
like scheme with direct mutual authentication between any two users may not be practical 
in the implementation of a realistic quantum communication networks. So a scheme with an 
authenticator Trent who not only provides EPR pair qubits but also involves in the authen- 
tication process should be considered in the QKD-like scheme. Furthermore, the QKD-like 
with an authenticator scheme may still be vulnerable to the attack by the authenticator, if 
the authenticator prepares different initial states (though the detailed steps of how this may 
happen are not shown here). Our QDC protocol, on the other hand, can discover this attack 
of Trent's illegal action and can prevent the secret message from leaking out. 

5 Conclusion 

To summarize, it has been shown that the protocols proposed by Lee et al. [22] and the 
improved version by Zhang et al. |23j cannot prevent the authenticator Trent from knowing 
the secret message. To overcome these problems, we have presented a new quantum protocol 
that uses the resources of the Bell states, the local operations and the entanglement swap- 
ping. In our proposed QDC protocol, the message communication process only starts after the 
successful authentication process. The authenticator Trent, after finishing his authentication 
job, will leave the users alone to communicate with each other and to send the secret message 
between themselves. Our protocol hence can prevent the real authenticator Trent from know- 
ing the secret message, a problem that the protocols proposed by Lee et al. and Zhang et al. 
fail to resolve. The Bell measurements by Trent in the communication process will cause the 
entanglement swapping. The authenticated users/parties can then communicate with each 
other securely with the resources of the entangled Bell pairs between them. In the message 
transmission process, the concept of the local unitary operations and the entanglement swap- 
ping is again used to encode and transmit the secret message. So no direct quantum link 
is required between any two users, say Alice and Bob, who want to communicate with each 
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other. This might be an appealing advantage in the practical implementation of a realistic 
quantum communication network. It also avoids possible eavesdroppers to gaining any mean- 
ingful information of the secret message in the communication process. The authenticator 
Trent can do almost everything in an authentication network, the mutual authentication is 
therefore introduced in our protocol to prevent the attacks from an imposter Trent. Our 
mutual authentication protocol can thus achieve secure QDC provided that the authenticator 
Trent will do his authentication job faithfully. The protocols proposed by Lee et al. and 
Zhang et al, on the other hand, also fail to prevent illegitimate party to step in and act 
as the authenticator. If, however, the genuine authenticator Trent would ask a fake Bob to 
receive the secret message from Alice in our protocol, this could also be possibly prevented 
by allowing the users/clients to access the classical public channel at any time. If someone 
pretends to be Bob to communicate with Alice, the real Bob may discover this event during 
the attack. 
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